Possibility of decryption speed-up by parallel processing in CCA secure hashed ElGamal

In order to prove the ElGamal CCA(Chosen Ciphertext Attack) security in the random oracle model, it is necessary to use the group where ICDH(Interactive Computational Diffie Hellman) assumption holds. Until now, only bilinear group with complex algebraic structure has been known as the ICDH group. In this paper, we introduce the ICDH group with simple algebraic structure. In other words, we prove that ICDH assumption holds in the integer group with composite modulus. On the basis of this, we propose the CCA secure hashed ElGamal and its fast variant to speed up decryption by parallel processing. Our parallel scheme has the fastest decryption among all CCA secure PKE(Public Key Encryption) schemes implemented in integer group and gives the possibility that ElGamal protocol could be practical when the big modulus numbers are used to resist the quantum attack.


Introduction
After the discovery of the DH (Diffie-Hellman) key exchange protocol [1], many PKE schemes [2][3][4][5][6][7][8] based on the CDH (Computational Diffie-Hellman) problem have been developed and widely used. In modern ElGamal systems, using the DH value itself to mask the plaintext via multiplication is not recommended; instead the DH value is used to derive the symmetric encryption key with which the plaintext is encrypted under a semantically secure symmetric encryption. In order to prove CCA security, the CDH, DDH (Decisional Diffie-Hellman) [9] and ICDH [10] assumptions are basically used. CCA security is a strong and very useful notion of security for PKE schemes [11][12][13].
In the random oracle model [14], hashed ElGamal is proved to be CCA secure (i.e., semantically secure against chosen ciphertext attack) under the ICDH assumption, and twin ElGamal is proved to be CCA secure under the CDH assumption [6,7,10]. Without the random oracle model [3], the Cramer-Shoup scheme is proved to be CCA secure under the DDH assumption. Table 1 shows the comparison between hashed ElGamal, twin ElGamal and the Cramer-Shoup scheme.
As shown in Table 1, among the above CCA secure protocols, hashed ElGamal is advantageous in terms of optimal ciphertext overhead (the difference between ciphertext and plaintext length) [7] and encryption/decryption efficiency. However, hashed ElGamal can be implemented only in an ICDH group for CCA security. At present, only the bilinear group, in which the ICDH assumption is known to be equivalent to the CDH assumption [15], has been known as an ICDH group.
However, a bilinear group needs a special elliptic curve with a more complex structure, and so a CCA secure ElGamal system is most commonly implemented as twin ElGamal or the Cramer-Shoup scheme in simple groups where the CDH or DDH assumption holds. In other words, twin ElGamal or the Cramer-Shoup scheme is commonly used instead of hashed ElGamal in practice.
To the best of our knowledge there are no results in the literature introducing the ICDH group with simple algebraic structure.
In this paper, we present a simple ICDH group and propose the CCA secure hashed ElGamal which has the possibility of fast decryption by parallel processing.
We highlight the following key results of our study:
• We prove that the ICDH assumption holds in the integer group with composite modulus.
• In the integer group with composite modulus, we propose hashed ElGamal and prove its CCA security.
• We modify the logical structure of hashed ElGamal to speed up decryption by parallel processing.
This paper is organized as follows. In Section 2, we describe the relevant preliminaries, including PKE and reasonable assumptions. In Section 3, we analyze the CCA security of hashed ElGamal in G and propose a fast variant of hashed ElGamal in which decryption can be sped up by parallel processing. In Section 4, we show some theoretical and experimental results of our implementation. In Section 5, we discuss the possibility of further reducing decryption time. Finally, we conclude in Section 6.

Preliminaries
A PKE scheme is a triple of algorithms (K, E, D) such that
• Key generation algorithm K is a probabilistic algorithm that generates a pair of public and private keys (pk, sk).
• Encryption algorithm E is a probabilistic algorithm that produces the ciphertext $c \leftarrow E(pk, m)$ for a given message m and public key pk.
• Decryption algorithm D is a deterministic algorithm that outputs the message $m \leftarrow D(sk, c)$ or the special reject value $\bot$ for a given ciphertext c and private key sk.
For each key pair (pk, sk) generated by algorithm K, and for every message m, $\Pr[D(sk, E(pk, m)) = m] = 1$.
The security of a PKE is usually proved under a reasonable assumption. A typical assumption is a computational assumption, described as the intractability of an inverting problem such as factoring a composite number, solving the RSA problem, computing the DL (Discrete Logarithm) problem, or computing the CDH problem. In this case, an inverting problem is: given y and a relation f, find a solution x satisfying f(x, y) = 1.
Another type of reasonable assumption is described as the intractability of a decision problem such as the DDH problem, which is usually used to prove the CPA (Chosen Plaintext Attack) security of PKE. A decision problem is: given (x, y) and f, decide whether the pair (x, y) satisfies f(x, y) = 1 or not.
Let $p, q, \frac{p-1}{2}, \frac{q-1}{2}$ be prime numbers and n = pq. Let G be the multiplicative subgroup of $\mathbb{Z}_n^*$ with generator g of order $\lambda = \frac{(p-1)(q-1)}{2}$. Then the above problems are described as follows.
Factoring problem: given a composite integer n = pq where p and q are safe primes, find p and q.
RSA problem: given y, find an integer x such that $x^e \equiv y \pmod n$.
DL problem: given a pair $(g, g^x \mid x \in \mathbb{Z}_n)$, find x.
CDH problem: given a triple $(g, g^x, g^y \mid x, y \in \mathbb{Z}_n)$, find the element $Y = g^{xy}$.
DDH problem: given a quadruple of elements $(g, g^x, g^y, g^z \mid x, y, z \in \mathbb{Z}_n)$, decide whether $z = xy \bmod \lambda$ or not.
In order to prove CCA security, a strong type of reasonable assumption such as the Gap DH (Gap Diffie-Hellman) assumption [17,29,30,31,32,33,34,35] or the ICDH assumption is usually used; it describes the intractability of solving an inverting problem given access to an oracle for a related decision problem. A typical problem is: given y and f, find x such that f(x, y) = 1, with access to an oracle that, given a question $(x_1, y_1)$, answers whether $f(x_1, y_1) = 1$ or not. The Gap DH and ICDH assumptions in G are described in the following section.

System model
We considered the integer group with composite modulus, which is known as a DDH group, and proved that the ICDH assumption holds in this group. In other words, we have proved that breaking the generalized ICDH assumption modulo a composite leads to breaking the RSA assumption [36] and, on this basis, proposed CCA secure hashed ElGamal in G.
In group G, CDH and DDH have been believed to be intractable [9,37,38]. Let (n, e) be the RSA public key and d be the RSA private key such that $ed \equiv 1 \bmod \lambda$. Assume that an adversary can obtain the generator g of group G and $g^d\ (\in G)$ (in RSA, this is possible by randomly selecting a generator u and setting $g = u^e \bmod n$; in this case, g is also a generator and $u = g^d \bmod n$ is satisfied). And assume that r is an element of G.
Then $r = g^x$ is satisfied for some $x\ (\in \mathbb{Z}_n)$, and if the CDH assumption is broken in G, the adversary can obtain $r^d\ (= g^{xd})$ from $r\ (= g^x)$ and $g^d$. From the fact above, it can be seen that breaking the CDH assumption in group G gives the possibility to break the RSA assumption.
Note. Of course, the CDH assumption has already been known to be intractable in G [37,38]. In this paper, we reconsider it in correlation with the RSA assumption.
Similarly, we proved that ICDH assumption holds in G under the RSA assumption as follows.
In the ICDH problem, access to a "DH-decision oracle" is added to the CDH problem. Assume that the CDH assumption is not broken, but the ICDH assumption is broken in G. Then the adversary can break the RSA assumption by using the public key e as follows.
In RSA, the adversary can test whether any triple $(u = g^d, v, \hat{w})$ he likes is a DH-triple (i.e., whether $v^d = \hat{w}$ for the triple $(g^d, v, \hat{w})$) by using the given public key e (i.e., by checking that $\hat{w}^e = v$), without knowledge of any secret key material, and so he never needs to issue queries to the challenger. In other words, the adversary can access, offline and on his own, a "DH-decision oracle" that recognizes DH-triples of the form $(g^d, \cdot, \cdot)$.
Note that in hashed ElGamal, the adversary has to access the "DH-decision oracle" online (more precisely, the adversary has to issue decryption queries to the challenger in the "DH-decision oracle") [7,10].
Consequently, the adversary can obtain $r^d\ (= g^{xd})$ from $r\ (= g^x)$ and $g^d$ by using his own "DH-decision oracle", and so it can be seen that breaking the ICDH assumption in group G also gives the possibility to break the RSA assumption. See the proof of Theorem 2 for more details.
When the modulus n is large enough (2048 bits), the RSA assumption is not broken. Hence, in group G, the ICDH assumption holds and hashed ElGamal is CCA secure for a large modulus.
Next, we modified hashed ElGamal a little to speed up decryption by parallel processing. We converted the large private key into a group of small private keys and modified the encryption process so that the small private keys are used in decryption. In this case, it is possible to speed up decryption by parallel processing. The results of the modification are encouraging and show that hashed ElGamal can still be practical even when a big modulus is used to resist quantum computing.

CCA secure hashed ElGamal in integer group with composite modulus
The most important security guarantee needed for PKE is semantic security. Semantic security is classified into CPA security (semantic security against chosen-plaintext attacks) and CCA security (semantic security against adaptive chosen-ciphertext attacks), which are described as follows.
Algorithm 3.1: Chosen plaintext attack game, played between a challenger and an adversary A.
Step 1. The challenger generates a public key/private key pair (pk, sk), and sends the public key pk to A.
Step 2. A makes one challenge query, which is a pair of messages $(m_0, m_1)$, and sends them to the challenger.
Step 3. The challenger chooses $b \in \{0, 1\}$ at random, encrypts $m_b$, and sends the ciphertext $c^* \leftarrow E(pk, m_b)$ to A.
The advantage of the adversary is defined as $Adv_{cpa} = |\Pr[\hat{b} = b] - 1/2|$. The scheme PKE is secure against chosen plaintext attack if for all efficient adversaries A, the advantage $Adv_{cpa}$ is negligible.
Algorithm 3.2: Chosen ciphertext attack game, played between a challenger and an adversary A.
Step 1. The challenger generates a public key/private key pair (pk, sk), and sends the public key pk to A.
Step 2. A makes a number of decryption queries to the challenger; each query is a ciphertext c; the challenger decrypts c and sends the result $m \leftarrow D(sk, c)$ to A.
Step 3. A makes one challenge query, which is a pair of messages $(m_0, m_1)$, and sends them to the challenger.
Step 4. The challenger chooses $b \in \{0, 1\}$ at random, encrypts $m_b$, and sends the ciphertext $c^* \leftarrow E(pk, m_b)$ to A.
Step 5. A makes more decryption queries, just as in Step 2, but with the restriction that $c \neq c^*$.
The advantage of the adversary is defined as $Adv_{cca} = |\Pr[\hat{b} = b] - 1/2|$. The scheme PKE is secure against chosen ciphertext attack if for all efficient adversaries A, the advantage $Adv_{cca}$ is negligible.
Note. A function ε(k) is said to be negligible if for every i > 0 there exists
If the security of PKE is proved in the random oracle model, hash functions are replaced by random oracle queries, and both the challenger and the adversary are allowed to access the random oracle in the above attack games.
In group G, we propose a CCA secure ElGamal whose ciphertext overhead consists of only one group element as follows.
Algorithm 3.3: Key generation for hashed ElGamal in G.
Each user creates the public key and the corresponding private key.
Step 1. Select a multiplicative cyclic group G of order $\lambda = \frac{(p-1)(q-1)}{2}$ with generator g, where $p, q, \frac{p-1}{2}$ and $\frac{q-1}{2}$ are large primes. In this case, G becomes a subgroup of $\mathbb{Z}^*_{n\,(= pq)}$. This can be described in detail as follows.
Step 1.1. Select the large primes p, q, p' and q' such that p = 2p' + 1 and q = 2q' + 1, and calculate $n \leftarrow pq$, $\lambda \leftarrow 2p'q'\ (= \mathrm{lcm}(p-1, q-1))$ and $q_{inv} = q^{-1} \bmod p$.
Step 1.2. Select a generator $g_p$ of $\mathbb{Z}_p^*$ and a generator $g_q$ of $\mathbb{Z}_q^*$, and calculate $g\ (\in \mathbb{Z}_n^*)$ that satisfies $g_p = g \bmod p$ and $g_q = g \bmod q$ as follows.
In this case, g becomes a generator of G.
Step 2. Select a random integer $x\ (1 \le x < \lambda,\ \gcd(x, \lambda) = 1)$ and compute the group element $u \leftarrow g^x$.
This can be described in detail as follows.

Step 2.2. Calculate $u_p \leftarrow g_p^{x_p} \bmod p$, $u_q \leftarrow g_q^{x_q} \bmod q$ and $u \leftarrow ((u_p - u_q)\, q_{inv} \bmod p)\, q + u_q$. In this case, $u = g^x \bmod n$, $x_p = x \bmod (p-1)$ and $x_q = x \bmod (q-1)$ are satisfied.
Step 3. The public key is (g, u, n) and the private key is x. This can be described in detail as follows.
Step 3.1. The public key is (g, u, n) and the private key is $(x, x_p, x_q, p, q)$.
Encryption and decryption use a symmetric encryption $(E_s, D_s)$ defined over $(K_s, M_s, C_s)$ and a hash function $H: G^2 \to K_s$.
Algorithm 3.4: Encryption for hashed ElGamal in G.
The user encrypts a message $m \in M_s$, where $M_s$ is the message space of $(E_s, D_s)$.
Step 2. Select a random integer y (1 < y < n) and compute the group elements $v \leftarrow g^y$, $w \leftarrow u^y$ and the hash value $k_s \leftarrow H(v, w)$.
Step 3. Encrypt the message m by using the symmetric encryption $E_s$ and key $k_s$.

$c \leftarrow E_s(k_s, m)$
Step 4. Send the ciphertext $(v \in G, c \in C_s)$. $C_s$ is the ciphertext space of $(E_s, D_s)$.
Algorithm 3.5: Decryption for hashed ElGamal in G.
User recovers message m from (v, c).
Step 1. Compute the group element $w \leftarrow v^x$ and the hash value $k_s \leftarrow H(v, w)$.
The calculation of w can be done fast by using the CRT (Chinese Remainder Theorem) exponents $x_p$ and $x_q$, as in CRT-RSA [39].
Step 1.1. Calculate $v_p \leftarrow v \bmod p$, $v_q \leftarrow v \bmod q$ and $q_{inv} = q^{-1} \bmod p$.

Step 1.2. Calculate $w_p \leftarrow v_p^{x_p} \bmod p$ and $w_q \leftarrow v_q^{x_q} \bmod q$.
Step 1.
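The following is an added, self-contained example (not code from the paper) of Algorithms 3.3 to 3.5 end to end: safe-prime parameters, a generator g assembled from $g_p$ and $g_q$ by the CRT, the public key $u = g^x$ computed from the CRT exponents, and decryption that recovers $w = v^x$ from $w_p$ and $w_q$. The primes p = 23 and q = 47 are constructed toy values far below the 1024-bit sizes the paper requires; the SHA-256 hash standing in for H and the encrypt-then-MAC symmetric scheme standing in for $(E_s, D_s)$ are this example's own choices, not the paper's.

```python
import hashlib
import hmac
import secrets
from math import gcd

# Constructed toy parameters: safe primes p = 2*11 + 1 and q = 2*23 + 1.
# Real deployments need primes of at least 1024 bits; these only exercise the algebra.
P, Q = 23, 47
N = P * Q                        # n = 1081
LAMBDA = 2 * 11 * 23             # lambda = 2 p' q' = lcm(p-1, q-1) = 506
Q_INV = pow(Q, -1, P)            # q_inv = q^-1 mod p


def crt_combine(a_p: int, a_q: int) -> int:
    """Garner-style CRT: residues mod p and mod q -> residue mod n (Algorithm 3.3, Step 2.2)."""
    return (((a_p - a_q) * Q_INV) % P) * Q + a_q


def find_generator(prime: int) -> int:
    """Smallest generator of Z_prime^* for a safe prime: the order prime-1 = 2 * prime',
    so g generates iff g^2 != 1 and g^prime' != 1 (mod prime)."""
    order = prime - 1
    for g in range(2, prime):
        if pow(g, 2, prime) != 1 and pow(g, order // 2, prime) != 1:
            return g
    raise ValueError("no generator found")


def keygen():
    """Algorithm 3.3: returns public key (g, u, n) and private key (x, x_p, x_q, p, q)."""
    g_p, g_q = find_generator(P), find_generator(Q)
    g = crt_combine(g_p, g_q)                  # g generates G, the subgroup of order lambda
    while True:
        x = secrets.randbelow(LAMBDA - 1) + 1  # 1 <= x < lambda
        if gcd(x, LAMBDA) == 1:
            break
    x_p, x_q = x % (P - 1), x % (Q - 1)        # CRT exponents
    u = crt_combine(pow(g_p, x_p, P), pow(g_q, x_q, Q))
    assert u == pow(g, x, N)                   # sanity check: u = g^x mod n
    return (g, u, N), (x, x_p, x_q, P, Q)


def H(v: int, w: int) -> bytes:
    """Stand-in for the random oracle H: G^2 -> K_s (SHA-256 over fixed-width encodings)."""
    size = (N.bit_length() + 7) // 8
    return hashlib.sha256(v.to_bytes(size, "big") + w.to_bytes(size, "big")).digest()


def _keystream(k_enc: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(k_enc + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def sym_encrypt(k_s: bytes, m: bytes) -> bytes:
    """(E_s): encrypt-then-MAC with a SHA-256 keystream and an HMAC tag. The key k_s is
    fresh for every ciphertext (fresh y), so the counter-mode keystream is never reused."""
    k_enc, k_mac = k_s[:16], k_s[16:]
    ct = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, len(m))))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()


def sym_decrypt(k_s: bytes, c: bytes):
    """(D_s): verify the tag first; return None (the reject value) on any mismatch."""
    k_enc, k_mac = k_s[:16], k_s[16:]
    ct, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, len(ct))))


def encrypt(pk, m: bytes):
    """Algorithm 3.4: ciphertext (v, c) with v = g^y, w = u^y, k_s = H(v, w)."""
    g, u, n = pk
    y = secrets.randbelow(n - 2) + 2           # 1 < y < n
    v, w = pow(g, y, n), pow(u, y, n)
    return v, sym_encrypt(H(v, w), m)


def decrypt(sk, ciphertext):
    """Algorithm 3.5: w = v^x via the CRT exponents x_p, x_q, then k_s = H(v, w)."""
    x, x_p, x_q, p, q = sk
    v, c = ciphertext
    w = crt_combine(pow(v % p, x_p, p), pow(v % q, x_q, q))  # w_p, w_q, then recombine
    return sym_decrypt(H(v, w), c)


if __name__ == "__main__":
    pk, sk = keygen()
    v, c = encrypt(pk, b"session key 0123")
    print(decrypt(sk, (v, c)))                 # b'session key 0123'
```

Note that decrypt never checks $v \in G$, exactly as the paper's Note after Theorem 1 describes; the only rejection path is the symmetric scheme's tag check, which is what makes the decryption oracle useless to an adversary who has not guessed $w = v^x$.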
We define Game 1 as a modified version of Game 0, which is the actual attack game against hashed ElGamal in G. In each game, b denotes the random bit chosen by the challenger, while $\hat{b}$ denotes the bit output by A. For j = 0, 1, we define $W_j$ to be the event that $\hat{b} = b$ in Game j.
From the assumption,
Game 0. The challenger selects x, y randomly so that $x, y \in \mathbb{Z}_\lambda$, $\gcd(x, \lambda) = 1$, and calculates
The random oracle is implemented by using an array $\mathrm{Map}: (\mathbb{Z}_n^*)^2 \to K$. The challenger selects $k \in K$ randomly and sets $\mathrm{Map}[v, w] = k$. The challenger sends the public key u to adversary A. Then adversary A outputs a pair of messages $(m_0, m_1)$ and the challenger produces the ciphertext $(v, c = E_s(k, m_b))$ by flipping a coin b.
- When the random oracle is queried at $(v, \hat{w}) \in (\mathbb{Z}_n^*)^2$, the challenger acts as follows. If $\mathrm{Map}[v, \hat{w}] = \emptyset$ then select $k \in K$ randomly and set $\mathrm{Map}[v, \hat{w}] = k$. The answer to the random oracle query at $(v, \hat{w})$ is $\mathrm{Map}[v, \hat{w}]$.
Game 1. We modify Game 0 by setting $\mathrm{Map}[v, w]$
Let Z be the event that the adversary queries the random oracle at (v, w) in Game 1. Then
If event Z happens, then one of the adversary's random oracle queries is (v, w), where $w = v^x$. Also, the challenger uses x and y only to compute u and v in Game 1. Hence, we can use adversary A to build an adversary $B_{cdh}$ to break the CDH assumption. $B_{cdh}$ chooses one of A's random oracle queries $(v, \hat{w})$ at random, and the probability that such $\hat{w} = w$ will be chosen by random selection is at least $\Pr[Z]/Q$. In other words,
Meanwhile, in Game 1, the key k is used only to encrypt the challenge plaintext. Hence, we can also use adversary A to build an IND-CPA adversary $B_s$ against the symmetric encryption $(E_s, D_s)$.
From the definition of an IND-CPA adversary,
By combining (2), (3), (4) and (5), we can obtain (1). (end of proof)
Theorem 1 shows only the CPA security of hashed ElGamal in G. For CCA security, a stronger assumption is needed.
Assume that the adversary selects arbitrary elements $v\ (\in \mathbb{Z}_n^*)$ and $\hat{w}\ (\in \mathbb{Z}_n^*)$, and computes $\hat{k}_s = H(v, \hat{w})$ and $\hat{c} = E_s(\hat{k}_s, m)$ for some arbitrary message $m\ (\in M_s)$. Further, assume the adversary gives the ciphertext $(v, \hat{c})$ to a "decryption oracle" and obtains the decryption $\hat{m} = D_s(H(v, v^x), \hat{c})$. Now, it is very likely that $\hat{m} = m$ if and only if $\hat{w} = v^x$. See [7] and [10] for more details.
Note. The decryption algorithm does not verify that $v \in G$ for the given ciphertext (v, c) (see Algorithm 3.5). Of course, such a verification can easily be done, but it requires additional calculation; furthermore, it could present a more attractive target for the adversary because it gives an oracle to check whether or not $v \in G$ for an arbitrary element $v \in \mathbb{Z}_n^*$. So $v \in \mathbb{Z}_n^*$ and $\hat{w} \in \mathbb{Z}_n^*$ can be used instead of $v \in G$ and $\hat{w} \in G$, respectively, in the CCA scenario (more precisely, in the definition of the DH-triple $(u, v, \hat{w})$).
For $U\ (= g^x) \in G$ and $V \in \mathbb{Z}_n^*$, define the predicate $\mathrm{dh}(U, V) := V^x$, and for $U \in G$ and $V, \hat{W} \in \mathbb{Z}_n^*$, define the predicate $\mathrm{dhp}(U, V, \hat{W}) := (\mathrm{dh}(U, V) = \hat{W}\,?)$. (These differ a little from the definitions of [7, Section 1.1] and [10, Section 11.4] because $V, \hat{W} \in \mathbb{Z}_n^*$ are used instead of $V, \hat{W} \in G$. As mentioned above, the factorization of n is unknown and so the adversary cannot distinguish between G and $\mathbb{Z}_n^*$.) Then, in the CCA scenario, the adversary can use the decryption oracle to answer questions (i.e., $\hat{w} = v^x$?) of the form $\mathrm{dhp}(u = g^x, v, \hat{w})$ for elements $v\ (\in \mathbb{Z}_n^*)$ and $\hat{w}\ (\in \mathbb{Z}_n^*)$ of the adversary's choosing. The adversary cannot efficiently answer such questions on his own (if he could, the DDH assumption would be broken in G), and so the decryption oracle is leaking some information about the secret key x which could potentially be used to break the encryption scheme.
From the facts above, the ICDH assumption used in the CCA security of hashed ElGamal over G can be defined as follows.
ICDH assumption: It is difficult to compute $\mathrm{dh}(U, V)$, given random $U \in G$ and $V \in G$, along with access to a decision oracle for the predicate $\mathrm{dhp}(U, \cdot, \cdot)$, which on input $(\hat{V}, \hat{W})$ returns $\mathrm{dhp}(U, \hat{V}, \hat{W})$.
Note. The Gap DH assumption, where an adversary gets access to a full DH decision oracle for the predicate $\mathrm{dhp}(\cdot, \cdot, \cdot)$, which on input $(\hat{U}, \hat{V}, \hat{W})$ returns $\mathrm{dhp}(\hat{U}, \hat{V}, \hat{W})$, is different from (and stronger than) the ICDH assumption, where an adversary gets access to a restricted DH decision oracle for the predicate $\mathrm{dhp}(U, \cdot, \cdot)$, which on input $(\hat{V}, \hat{W})$ returns $\mathrm{dhp}(U, \hat{V}, \hat{W})$. In other words, the ICDH assumption (where the first element of the triples submitted to the DH decision oracle is fixed) is implied by the Gap DH assumption (where the first element can be freely chosen) [7,17,40,41].
The following Theorem 2 shows that if the ICDH assumption is broken in G, then it is possible to break the RSA assumption.
Theorem 2: Assume the ICDH assumption is $(t, q_{dh}, \varepsilon)$-broken in group G, where $q_{dh}$ is the number of queries to the "DH-decision oracle" and ε is the probability of breaking the assumption in time t. Then the RSA assumption is $(t, q_{dh}, \varepsilon/8)$-broken when safe primes are used.
Proof. Let B be an attacker which $(t, q_{dh}, \varepsilon)$-breaks the ICDH assumption in group G. We present an adversary A which $(t, q_{dh}, \varepsilon/8)$-breaks the RSA assumption when the modulus n is the product of two safe primes. Let e be the public exponent and d the private exponent. Adversary A is given as input (n, e, r), where r was chosen at random from $\mathbb{Z}_n^*$, and tries to find $r^d \bmod n$. In RSA, anyone can obtain a pair of elements $(h, h^d)$, where h is an element of $\mathbb{Z}_n^*$, by selecting an arbitrary element $u \in \mathbb{Z}_n^*$ and setting $h = u^e \bmod n$ (i.e., $u = h^d \bmod n$). Besides, anyone can obtain an arbitrary element $v \in \mathbb{Z}_n^*$ by multiplying the e-th power of an arbitrary element $s \in \mathbb{Z}_n^*$ and r (i.e., $v = s^e r \bmod n$). Assume that h is a generator of G and v is an element of G (i.e., $v = h^a$). Then the ICDH attacker B can obtain $v^d = h^{ad}$ from the elements $u = h^d$ and $v = h^a$ with success probability ε and running time t, making $q_{dh}$ queries to a "DH-decision oracle" that recognizes DH-triples of the form
In this case, the "DH-decision oracle" is different from the one of hashed ElGamal. First, in order to determine whether or not any triple $(u, v, \hat{w})$ is a DH-triple (i.e., $v^d = \hat{w}$?), the ICDH attacker B checks that $\hat{w}^e = v$ using the RSA public exponent e on his own, without making queries to the challenger, because the modular inverse of the private key (i.e., $e = d^{-1} \bmod \lambda$) is published in RSA, unlike in hashed ElGamal. In other words, the "DH-decision oracle" can be run offline by B (this creates more favorable conditions for B than hashed ElGamal's DH-decision oracle), and so A need not simulate the "DH-decision oracle" to answer B's queries.
Second, the computational cost per "DH-decision oracle" query is comparable to hashed ElGamal.
In RSA, small public exponents are commonly used (i.e., the RSA assumption still holds for small public exponents such as 3 and 65537), and so, for a given $(u, v, \hat{w})$, the calculation of $\tilde{v} = \hat{w}^e$ for the test ($\tilde{v} = v$?) is much faster (this also creates favorable conditions for B) than the calculation of the "DH-decision oracle" of hashed ElGamal in G (i.e., the calculation of $\hat{k} = H(v, \hat{w})$, $\hat{c} = E_s(\hat{k}, m)$, $w = v^x$, $k = H(v, w)$ and $m^* = D_s(k, \hat{c})$ for the test ($m = m^*$?)) because $\log_n x \approx 1$. Even when a full-sized public exponent e ($\log_n e \approx 1$) is used [42] in RSA, the computation of $\hat{w}^e$ is comparable to the computation of $v^x$ in the decryption oracle of hashed ElGamal.
Of course, the generator and elements of G are unknown to B. Hence, adversary A must select $h\ (= u^e)$ and $v\ (= s^e r \bmod n)$ as a generator and an element of G, respectively, and run the ICDH attacker B on input $(u\ (= h^d), v)$ in order to get $v^d$.
Meanwhile, many elements of $\mathbb{Z}_n^*$ can be a generator or an element of G. Hence, when adversary A selects h and v as random elements of $\mathbb{Z}_n^*$ (this can be accomplished by anyone in RSA, as mentioned above), h becomes a generator and v becomes an element of G with high probability.
Let $p' = \frac{p-1}{2}$ and $q' = \frac{q-1}{2}$. From Algorithm 3.3, the order of G is $\lambda = 2p'q'$, and so the probability that a random element $v \in \mathbb{Z}_n$ is included in G is as follows.
The group of order λ has ϕ(λ) generators, where ϕ is Euler's phi function. Hence, the probability that a random element $h \in \mathbb{Z}_n$ becomes a generator of G is as follows.

Pr[Generator(h, G)
From Eqs (6) and (7), the probability that h is a generator of G and v is included in G, for arbitrarily selected h and v, is as follows.

Pr[Generator(h, G)
Hence, with probability at least 1/8, A can select h and v as a generator and an element of G, respectively, and give B the challenge instance
From all the facts above, it can be seen that if the ICDH assumption is $(t, q_{dh}, \varepsilon)$-broken in G, then it is possible to $(t, q_{dh}, \varepsilon/8)$-break the RSA assumption. (end of proof)
Even though safe primes p and q are used, the RSA assumption is believed not to be broken (regardless of whether the public exponent e is small or large), and so the ICDH assumption holds in G by Theorem 2.
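The core observation of the proof of Theorem 2 (and of the System model section) is that in RSA the restricted DH-decision predicate $\mathrm{dhp}(h^d, v, \hat{w})$ is answerable offline with nothing but the public exponent, because $\hat{w}^e = v$ holds exactly when $\hat{w} = v^d$. The following is an added illustration, not code from the paper, using the same constructed toy safe primes (p = 23, q = 47) and a public exponent e = 3; the names rsa_pair, dhp_offline and demo are this example's own. It compares the public-exponent check against the answer computed with the secret d, which is available here only because the parameters are toy values.

```python
import secrets
from math import gcd

# Constructed toy RSA modulus built from safe primes; a real setting uses a 2048-bit n.
P, Q = 23, 47
N = P * Q                                        # n = 1081
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # lcm(p-1, q-1) = 506
E = 3                                            # small public exponent, gcd(E, LAMBDA) = 1
D = pow(E, -1, LAMBDA)                           # private exponent, e*d = 1 mod lambda (169 here)


def rsa_pair():
    """Anyone can obtain a pair (h, h^d): pick u in Z_n^*, set h = u^e mod n, then u = h^d mod n."""
    while True:
        u = secrets.randbelow(N - 2) + 2
        if gcd(u, N) == 1:
            return pow(u, E, N), u


def dhp_offline(v: int, w_hat: int) -> bool:
    """Restricted DH-decision predicate dhp(h^d, v, w_hat) = (v^d == w_hat ?), answered with
    the public exponent only: w_hat^e == v. No query to a challenger is needed."""
    return pow(w_hat, E, N) == v


def dhp_with_secret(v: int, w_hat: int) -> bool:
    """Reference answer computed with the secret d; used here only to confirm equivalence."""
    return pow(v, D, N) == w_hat


def demo(trials: int = 200) -> bool:
    """Check on random instances that the offline predicate agrees with the secret-based one,
    for both true DH-triples (w_hat = v^d) and random non-triples."""
    h, u = rsa_pair()
    assert pow(h, D, N) == u
    for _ in range(trials):
        a = secrets.randbelow(LAMBDA - 1) + 1
        v = pow(h, a, N)                                       # v = h^a, an element of <h>
        if secrets.randbits(1):
            w_hat = pow(v, D, N)                               # genuine triple (h^d, v, v^d)
        else:
            w_hat = secrets.randbelow(N - 2) + 2               # almost surely not a triple
        if dhp_offline(v, w_hat) != dhp_with_secret(v, w_hat):
            return False
    return True


if __name__ == "__main__":
    print("offline decision oracle agrees with secret-based check:", demo())
```

The equivalence is exact on $\mathbb{Z}_n^*$: the e-th power map is a bijection there with inverse the d-th power, and if $\hat{w}$ shares a factor with n then $\hat{w}^e$ does too, so it cannot equal a unit v. This is why the reduction's adversary A never has to simulate the oracle for B, unlike the online decryption oracle of hashed ElGamal.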
From the above fact, referring to [10], the following Theorem 3 can be obtained.
By combining (10), (11), (12) and (13), we can obtain (9). (end of proof)
A composite number is used as the modulus, and so the CRT can be used to speed up decryption of hashed ElGamal in G. However, decryption in this scheme is still not fast because big prime numbers are used (1024-bit and 7680-bit primes are needed to be secure against current attacks and quantum computing attacks, respectively). To increase the decryption speed by parallel processing, we modified the logical structure of hashed ElGamal as follows.

Parallel scheme
Let $T_d$ denote the decryption time of a single ciphertext block which has the bit length of the modulus, and N denote the number of processors. Then it is trivial that N ciphertext blocks can be decrypted by N processors in time $T_d$ using parallel processing. However, this does not mean that a single ciphertext block can be decrypted in time $T_d/N$. In other words, no message is recovered in time $T_d/N$ even by parallel processing in hashed ElGamal. In order to decrypt a single ciphertext block in time $T_d/N$ by parallel processing, we modify the logical structure of hashed ElGamal as follows.
Key generation is the same as for hashed ElGamal in G, and so we describe only the encryption and decryption algorithms.
Encryption and decryption use a CCA secure symmetric encryption $(E_s, D_s)$ defined over $(K_s, M_s, C_s)$ and a hash function $H: G^2 \to K_s$.
Algorithm 3.6: Encryption for the parallel scheme. The user encrypts a message $m \in M_s$, where $M_s$ is the message space of $(E_s, D_s)$.
Step 1. Obtain the authentic public key (g, u, n) and set $h \leftarrow 2^{\lceil r/2 \rceil}$ and $g_1 \leftarrow g^h$, where n is a 2r-bit number.
Step 2. Select a random integer y (1 < y < n) and compute the group elements $v \leftarrow g^y$, $v_1 \leftarrow g_1^y$, $w \leftarrow u^y$ and the hash value $k_s \leftarrow H(v, w)$. In this case, $v_1 = g^{hy} = g^{yh} = v^h$.
Step 3. Encrypt the message m by using the symmetric encryption $E_s$ and key $k_s$.

$c \leftarrow E_s(k_s, m)$
Step 4. Send the ciphertext $(v \in G, v_1 \in G, c \in C_s)$. $C_s$ is the ciphertext space of $(E_s, D_s)$.
Algorithm 3.7: Decryption for the parallel scheme. The user recovers message m from $(v, v_1, c)$.
Step 1. Compute the group element $w \leftarrow v^x$ and the hash value $k_s \leftarrow H(v, w)$. The calculation of w can be done fast by using the r-bit CRT exponents $x_p \leftarrow h x_{1p} + x_{0p}$ and $x_q \leftarrow h x_{1q} + x_{0q}$, where $h = 2^{\lceil r/2 \rceil}$ and $0 < x_{0p}, x_{1p}, x_{0q}, x_{1q} < h$.
Step 1.1. Calculate $v_p \leftarrow v \bmod p$, $v_q \leftarrow v \bmod q$, $v_{1p} \leftarrow v_1 \bmod p$, $v_{1q} \leftarrow v_1 \bmod q$ and $q_{inv} = q^{-1} \bmod p$.
Step 1.2. Calculate $w_p \leftarrow v_{1p}^{x_{1p}} v_p^{x_{0p}} \bmod p\ (= v_p^{x_p} \bmod p)$ and $w_q \leftarrow v_{1q}^{x_{1q}} v_q^{x_{0q}} \bmod q\ (= v_q^{x_q} \bmod q)$.
Step 1.3. Calculate w as follows.
Step 2. Recover the message m by using the symmetric decryption $D_s$ and key $k_s$: $m \leftarrow D_s(k_s, c)$.
$v_{1q}^{x_{1q}} \bmod q$ and $v_q^{x_{0q}} \bmod q$ can be calculated in parallel, and so it seems that the private key length is reduced to 1/2 compared with hashed ElGamal. (Of course, without parallel processing, the calculation of $v_{1q}^{x_{1q}} v_q^{x_{0q}} \bmod q$ can be done fast by the simultaneous multiple exponentiation algorithm [37].)
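The following is an added example, not code from the paper, of the exponent split behind Algorithms 3.6 and 3.7: the sender publishes $v, v^h, v^{h^2}, \ldots$, the receiver writes each CRT exponent in base $h = 2^{\lceil r/t \rceil}$ and raises each component to its digit in its own thread, so that the product equals $v^{x_p} \bmod p$ (and likewise mod q) before the usual CRT recombination. It generalises the page's two-part split to t parts, as the discussion after Theorem 4 does for t = 3. The parameters (p = 23, q = 47, g = 5, x = 123, y = 77) are constructed toy values; the function names are this example's own.

```python
from concurrent.futures import ThreadPoolExecutor
from math import ceil

# Constructed toy parameters (same safe primes as the hashed ElGamal example); n = 1081.
P, Q = 23, 47
N = P * Q
R = (N.bit_length() + 1) // 2   # n is a 2r-bit number; r = 6 here
G = 5                           # generator of G for these toy primes


def base_h_digits(x: int, h: int, t: int) -> list:
    """Split x into t base-h digits [x_0, ..., x_{t-1}] with x = sum x_i * h^i,
    i.e. the page's (x_{t-1} ... x_1 x_0)_h representation, least significant first."""
    digits = []
    for _ in range(t):
        digits.append(x % h)
        x //= h
    assert x == 0, "exponent does not fit in t base-h digits"
    return digits


def encrypt_components(g: int, y: int, n: int, h: int, t: int) -> list:
    """Sender side of Algorithm 3.6 generalised to t parts: [v, v^h, v^(h^2), ...] with v = g^y.
    Because (g^(h^i))^y = v^(h^i), the sender only needs v and h."""
    v = pow(g, y, n)
    return [pow(v, h ** i, n) for i in range(t)]


def parallel_power(vs_mod: list, digits: list, modulus: int) -> int:
    """prod_i v_i^{x_i} mod modulus with one thread per digit (Algorithm 3.7, Step 1.2).
    Equals v^x mod modulus because sum_i x_i h^i = x."""
    with ThreadPoolExecutor(max_workers=len(digits)) as pool:
        partials = list(pool.map(lambda pair: pow(pair[0], pair[1], modulus), zip(vs_mod, digits)))
    acc = 1
    for s in partials:            # t-1 multiplications merge the partial results
        acc = acc * s % modulus
    return acc


def decrypt_w(vs: list, x_p: int, x_q: int, t: int) -> int:
    """Receiver side: w = v^x mod n from the t ciphertext components and the CRT exponents."""
    h = 2 ** ceil(R / t)
    w_p = parallel_power([v % P for v in vs], base_h_digits(x_p, h, t), P)
    w_q = parallel_power([v % Q for v in vs], base_h_digits(x_q, h, t), Q)
    q_inv = pow(Q, -1, P)
    return (((w_p - w_q) * q_inv) % P) * Q + w_q   # CRT recombination (Step 1.3)


if __name__ == "__main__":
    x, y = 123, 77                              # constructed private exponent and encryption randomness
    x_p, x_q = x % (P - 1), x % (Q - 1)         # 13 and 31
    for t in (2, 3, 4):
        h = 2 ** ceil(R / t)
        vs = encrypt_components(G, y, N, h, t)
        assert decrypt_w(vs, x_p, x_q, t) == pow(vs[0], x, N)
        print(t, "parts, h =", h, "ok")
```

Each thread's exponent has only about r/t bits, which is where the speed-up of Section 4 comes from; the ciphertext grows by a factor of t, matching the message expansion the paper notes. Nothing secret leaves the receiver: h is public and the private exponents are only ever re-expressed, never shortened.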
In security, parallel scheme is identical to hashed ElGamal in G.
In the parallel scheme, $h\ (= 2^{\lceil r/2 \rceil})$ does not provide any information except for the bit size of the private key, which has been known to be approximately equal to the bit length of the modulus (i.e., 2r). In other words, some of the calculation needed in decryption ($v^x \bmod n$), namely $g^{hy} \bmod n = g^{yh} \bmod n = v^h \bmod n$, has only been pre-calculated at the encryption stage.
This can be seen from the following Theorem 4.
Theorem 4. Assume that the parallel scheme is (t, ε)-broken, where ε is the probability of breaking the encryption scheme in time t. Then hashed ElGamal in G is also (t, ε)-broken.
Proof. Assume that B is an adversary which (t, ε)-breaks the one-wayness of the parallel scheme. Then we present an adversary A which (t, ε)-breaks the one-wayness of hashed ElGamal in G. Let (g, u, n) be the public key and x the private key of hashed ElGamal. Adversary A is given as input (g, u, n, c, v) and tries to find the plaintext m, where (c, v) is the ciphertext. In hashed ElGamal, anyone knows the bit size of the modulus (i.e., 2r) and can obtain $h = 2^{\lceil r/2 \rceil}$. Hence, A can obtain $h\ (= 2^{\lceil r/2 \rceil})$ and give B the challenge instance $(g, u, n, c, v, v^h)$. By assumption, B is given as input $(g, u, n, c, v, v^h)$ and outputs $m = D_s(H(v, v^x), c)$. If and when B outputs m, A outputs m.
In the same way, we can construct an IND-CPA (or IND-CCA) adversary A against hashed ElGamal in G from an IND-CPA (or IND-CCA) adversary B against the parallel scheme. From all the facts above, it can be seen that if the parallel scheme is (t, ε)-broken, then it is possible to (t, ε)-break hashed ElGamal in G. (end of proof)
Similarly, it is possible to reduce the decryption time further by setting $h = 2^{\lceil r/3 \rceil}$. In this case, the ciphertext $(g^y, g^{hy}, g^{h^2 y}, c)$ can be decrypted in parallel by using the private key parts $x_{0p}, x_{1p}, x_{2p}, x_{0q}, x_{1q}, x_{2q}$ instead of $x_p = (x_{2p}\, x_{1p}\, x_{0p})_h$ and $x_q = (x_{2q}\, x_{1q}\, x_{0q})_h$, where $(X_2 X_1 X_0)_h$ is the base-h representation of X. In other words, $g^{y x_p} \bmod p = g^{y x_{0p}}\, g^{y h x_{1p}}\, g^{y h^2 x_{2p}} \bmod p$ and $g^{y x_q} \bmod q = g^{y x_{0q}}\, g^{y h x_{1q}}\, g^{y h^2 x_{2q}} \bmod q$. In this way, it is possible to propose fast ElGamal variants which are t (t = 2, 3, 4, ...) times faster than ordinary hashed ElGamal in G. Of course, in this case there is message expansion by a factor of t. However, considering current network throughput and the fact that PKE is used only to establish a session key, the drawback caused by message expansion can be ignored compared to the benefit gained by the speed-up.
Note. Unlike the parallel scheme, the scheme of [43] compromises the security of hashed ElGamal because the CRT exponents $x_p$ and $x_q$ are reduced.

Performance analysis
Let t denote the number of processors participating in parallel processing. When a 2r-bit modulus is used, the expected decryption speed-up factor β can be denoted as follows.
Note. Let $T_M$ denote the modular multiplication time of two r-bit numbers. Then t numbers can be multiplied in time $\lceil \log_2 t \rceil\, T_M$ by parallel processing with $\mu\ (\ge \lceil t/2 \rceil)$ processors.
Table 2 shows the theoretical decryption time comparison of CRT-RSA, hashed ElGamal in G and parallel scheme.
As shown in Table 2, $\beta \approx t$ is usually satisfied when r is much larger than t. However, the Hamming weight (the number of ones in the binary representation) of an r-bit number is not always exactly r/2, and so the exact decryption speed-up factor can be denoted as in Eq (15), where V, W, $V_i$ and $W_i$ denote the Hamming weights of $x_p$, $x_q$, $x_{ip}$ and $x_{iq}$, respectively. In Eq (15), we used $\max\{V_i \mid 1 \le i \le t\}$ (or $\max\{W_i \mid 1 \le i \le t\}$) instead of $\sum_{i=1}^{t} V_i / t$ (or $\sum_{i=1}^{t} W_i / t$), considering the delay associated with synchronizing parallel processes.
If $w_p$ and $w_q$ are calculated simultaneously by parallel processing (in this case, 2t processors are needed), then
In order to obtain an average value of $\bar{\beta}$, we ran the key generation algorithm 1000 times, each run including 100 different x values. When the common multicore CPUs of Intel or AMD are used in parallel processing, t is usually small (i.e., t < 16). If many-core GPUs of NVIDIA or multi-CPU systems are used in parallel processing, then t is not small. However, it is not practical to set t too large (i.e., t > 256) because of message expansion. As shown in Fig 1, $\bar{\beta}$ is slightly smaller than β because V and W are close to r × 0.5, but $\max\{V_i \mid 1 \le i \le t\}$ and $\max\{W_i \mid 1 \le i \le t\}$ are usually larger than $\lceil r/t \rceil \times 0.5$ (see S1 to S4 Tables). Meanwhile, the effectiveness (β/t or $\bar{\beta}/t$) decreases as the number of processors increases and increases with the size of the modulus.
Consequently, our scheme gives the possibility of a fast public key cryptosystem which is approximately $\bar{\beta}\ (4 \ge \bar{\beta})$ times faster than CRT-RSA (typical RSA) and hashed ElGamal in G. Table 3 shows the practical execution time comparison between the parallel scheme and CRT-RSA.
Timings were made on a 3.6 GHz Core i7-7700 desktop using OpenSSL and can be treated as a relative guideline. We ran the decryption algorithm 1000 times with varying keys, each run including 100 different messages, and obtained the averages. In all measurements, the mod p and mod q exponentiations were done serially, and the delays due to the hash function and symmetric encryption were ignored because they are very small compared to the modular exponentiation of big integers. As shown in Table 3, our parallel schemes are about 1.86 (t = 2) and 3.56 (t = 4) times faster, respectively, than CRT-RSA in decryption, but have a ciphertext overhead that increases in proportion to the number of processors.
Overall, the results presented above show that our scheme is suitable for encrypting and decrypting short messages such as session keys, credit card information and PIN (Personal Identification Number) codes at high speed on multi-core and many-core platforms.

Discussion
The purpose of converting the large private key into a group of small private keys is to reduce the secret exponentiation time by parallel processing. Our technique does not affect the security of the original hashed ElGamal, because the r-bit private key $x_p$ ($x_q$) is simply divided into two r/2-bit halves $x_{0p}$ and $x_{1p}$ ($x_{0q}$ and $x_{1q}$) by $h = 2^{\lceil r/2 \rceil}$. However, one could reduce the secret exponentiation time further by choosing h ($\log_n h \approx 1$) so that $x_{0p}, x_{1p}, x_{0q}$ and $x_{1q}$ are extremely small (i.e., $0 < x_{0p}, x_{1p}, x_{0q}, x_{1q} < 2^{r'}$ and $r' < r/2$). In this case, to avoid a security problem, $\log_n x_0 \approx \log_n x_1 \approx 1$ must be satisfied for $x_0$ and $x_1$ such that $h x_1 + x_0 = x \bmod \varphi(n)$, $x_{0p} = x_0 \bmod (p-1)$, $x_{1p} = x_1 \bmod (p-1)$, $x_{0q} = x_0 \bmod (q-1)$ and $x_{1q} = x_1 \bmod (q-1)$. Of course, the time required for encryption is not affected by the selection of h because $g_1 = g^h$ is calculated only once in the system. It is an open problem whether there is an attack on the parallel scheme when $x_{0p}, x_{1p}, x_{0q}$ and $x_{1q}$ are small.

Conclusion
The ICDH assumption is known to hold only in bilinear groups with complex structure. We first proved that the ICDH assumption holds in the simple integer group and proposed the CCA secure hashed ElGamal encryption, the security of which is proved in the random oracle model. Our scheme is superior in ciphertext overhead and exponentiation cost to other CCA secure ElGamal variants based on the integer group, such as the Cramer-Shoup scheme and twin ElGamal, because it maintains the concise style of plain ElGamal. We also sped up decryption of CCA secure hashed ElGamal by parallel processing. Our parallelization scheme does not affect the security, since some operations needed for decryption are only pre-calculated at the encryption stage and the private key itself is not reduced compared to hashed ElGamal. By using the parallel scheme, it would be possible to use ElGamal in the integer group when big modulus numbers (15360 bit) are used in order to resist quantum computing attacks. We expect our finding to be widely applied to platforms equipped with multicore CPUs or many-core GPUs.

Fig 1
Fig 1 shows the relation between $\beta$ and $\bar{\beta}$ for different t values. In order to obtain an average value of $\bar{\beta}$, we ran the key generation algorithm 1000 times, each of which included 100 different x values. When the common multicore CPUs of Intel or AMD are used in parallel processing, t is usually small (i.e., t < 16). If many-core GPUs of NVIDIA or multi-CPUs are used in parallel processing, then t is not small. However, it is not practical to set t too large (i.e., t > 256) because of message expansion. As shown in Fig 1, $\bar{\beta}$ is slightly smaller than $\beta$ because V and W are close to $r \times 0.5$, but $\max\{V_i \mid 1 \le i \le t\}$ and $\max\{W_i \mid 1 \le i \le t\}$ are usually larger than $\lceil r/t \rceil \times 0.5$ (see S1 to S4 Tables). Meanwhile, the effectiveness ($\beta/t$ or $\bar{\beta}/t$) decreases with an increasing number of processors and increases with an increasing modulus size.

Table 1. Comparison between hashed ElGamal and other CCA-secure ElGamal protocols in efficiency.
Note. $g$, $g_1$ and $g_2$ denote generators of the multiplicative cyclic group. $H$ denotes the hash function. $E_s$ and $D_s$ denote the symmetric encryption and decryption.

Step 1.3. Calculate $w$ as follows: $w \leftarrow ((w_p - w_q)\, q_{inv} \bmod p)\, q + w_q$.
Step 1.4. Calculate $k_s \leftarrow H(v, w)$.
Step 2. Recover the message $m$ by using symmetric decryption $D_s$ and key $k_s$: $m \leftarrow D_s(k_s, c)$.

Because the CDH and DDH assumptions are satisfied in G [9], the following Theorem 1 can be obtained referring to [10].

Theorem 1. If $H : (Z_n^*)^2 \to K_s$ is modeled as a random oracle and the symmetric encryption $(E_s, D_s)$ is CPA secure (i.e., is semantically secure against Chosen Plaintext Attack), then hashed ElGamal in G is CPA secure.
Proof. Assume that there exists an IND (Indistinguishability)-CPA adversary A which makes at most Q queries to the random oracle and has advantage $\varepsilon_{EG}$ in hashed ElGamal. Then, we present a CDH adversary $B_{cdh}$ which has advantage $\varepsilon_{cdh}$ in group G and an IND-CPA adversary $B_s$ which has advantage $\varepsilon_s$ in the symmetric encryption $(E_s, D_s)$ such that

Theorem 3. If $H : (Z_n^*)^2 \to K_s$ is modeled as a random oracle and the symmetric encryption $(E_s, D_s)$ is CCA secure (i.e., is semantically secure against Chosen Ciphertext Attack), then hashed ElGamal in G is CCA secure.
Proof. Assume that there exists an IND-CCA adversary A which has advantage $\varepsilon_{EG}$ in hashed ElGamal. Then, we present an ICDH adversary $B_{icdh}$ which has advantage $\varepsilon_{icdh}$ in group G and an IND-CCA adversary $B_s$ which has advantage $\varepsilon_S$ in the symmetric encryption $(E_s, D_s)$ such
Hence, we can also use adversary A to build an IND-CCA adversary $B_s$ in the symmetric encryption $(E_s, D_s)$. From the definition of an IND-CCA adversary,